I’m having a hard time with the idea of opening access to my AWS RDS Postgres DB to the world, with only password protection.
As far as I can see, there’s no way to get a static IP out of Netlify functions so I can whitelist IP access to my DB.
From Redwood’s website, I know there’s some work happening around databases for the Jamstack:
“For now, you need to set up your own database, but we are working with various infrastructure providers to make this process simpler and more Jamstacky. Stay tuned for improvements in that regard!”
Is the static IP issue being discussed as an issue at all?
There are some ways to fix that if the functions are implemented directly on AWS Lambda, but I’m curious to see the related plan for Redwood apps.
In my situation, this could be one of the decisive factors between going with Redwood vs using Next + AWS Lambda, so wanted to hear everyone else’s thoughts about it. Thanks in advance!
Hi @betocmn This is not something we have addressed (or are currently). I’m 100% with you that this is an important concern, although I can’t say personally this would be a dealbreaker for me. But given your specs, market requirements, etc. it makes sense your product might have a whitelist go/no-go line. And Next is a great framework that’s got a lot of years of maturity (and stability) on Redwood. None of the following is meant to talk you out of making pragmatic decisions based on your needs.
That said, I will definitely ask the Netlify team about this and pass along a link to this discussion. We have a great, collaborative relationship and they’re very excited about helping Redwood be successful in these early stages. We’ll see what they come back with.
In the near-term, do know that even though Redwood is configured to deploy to Netlify by default, you’re not locked into them as a hosting solution. Here’s an example from @Jaikant deploying only an API directly to AWS Lambdas. And if you want to look under the hood at Redwood’s build, here’s an example customization of the build script deploying to Netlify without using a DB (or Prisma). Conceivably you could use custom build scripts like these to deploy anywhere. Crazy example idea --> I have no idea if this would work ('cause networking config might be impossible), but conceivably you could directly deploy your API to AWS Lambda using an AWS DB (thus manually locking down security per your requirements) and host your static web assets on whatever CDN. (If you do try this and get it to work, you absolutely have to tell us about it… deal?)
Any security experts out there who could offer more guidance? Especially best practices around DB security and whitelisting IPs?
Here’s the update from Netlify:
“this is something we’re looking into supporting, but not much we can do at the moment. Fine-grained control will require working with AWS direct for now.”
So for the near-term IP whitelisting, deploying directly to AWS is likely the most viable option for an architecture that’s CDN + Lambdas + DB.
Keep us posted and definitely let us know if you do try to get new ways of deployment working. We’ll help as much as we can!
Thanks so much, @thedavid. Great to know this is something Netlify is planning on working on in the future (I’m very invested in them with the front-end for my main business with a more old-school backend).
It would be great to hear from more people as well about how they see the password-only thing as a security issue.
I will keep playing with Redwood and experiment with different deployment scenarios (thanks for the examples by the way) and will come back to share where I’m at later on.
Hey @betocmn
Honestly, the level of effort to manage a whitelist of IPs for the sake of security is rarely worth it. There are any number of other systems an attacker can target (Netlify account, AWS account, the app’s admin console, your email, etc).
You can easily create DB creds that are impossible to brute force and so long as you store them safely (same goes for your AWS creds, etc) you’ll be fine.
Thanks, @crabasa. You have a good point about all other systems, but I still have the option to enable 2-Factor-Authentication for most of them.
“the level of effort to manage a whitelist of IPs for the sake of security is rarely worth it”
I don’t entirely agree with that part tho. On AWS, you can get that out of the box with Elastic Beanstalk + RDS and the same for most other cloud providers.
I understand how it’s challenging right now as part of Netlify Functions / Redwood, but I don’t agree it’s “rarely worth it”. I think it’s an essential requirement for any commercial app.
My idea to share this was just to raise precisely how important that could be for future adoption. In my example, I’m delighted to continue playing with Redwood with my small personal side projects.
But for my primary business, it would be a dealbreaker even to start thinking about it without this kind of DB protection.
Thanks, everyone!
I tend to agree with you on the “worth it” part; I think the problem here stems from the fact that Netlify doesn’t have a hosted DB offering on their platform. On other platforms such as AWS as you mentioned, or GCP, things are more closed up by default as they’re able to make Functions and DB live within the same private networks, or provide fixed IP ranges that you can whitelist easily.
If I may offer another way to look at this @betocmn, that would be to say that Redwood isn’t looking at being deployed exclusively on Netlify.
Other platforms will be supported, and when that happens you’d be able to benefit from the higher security they provide.
It’s still the beginning though, so there’s no timeline set on this, but it’s part of the priorities and it will definitely happen ^^
In this case, whitelisting IP addresses of Netlify does not improve security. Attackers can just start a service on Netlify to masquerade the IP addresses. For security-sensitive applications, I think there’re 2 options:
- Deploy redwoodjs on EC2. Redwoodjs can run on my local machine. I’m sure it can run on an EC2 server. We can create a tool to deploy redwoodjs on EC2.
- Ask Netlify team to provide an EC2 compatible image in AWS Marketplace. You can point the deployment endpoint to the EC2 server instead of netlify.com.
In both cases, you whitelist the EC2 security group to RDS.
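An added example, not part of any post in this thread and not Redwood or Netlify code: the difference between a database port open to the world and one that only admits an application security group can be checked mechanically. The sketch below classifies ingress rules that reach port 5432, using the JSON shape returned by `aws ec2 describe-security-groups`; the function names and the sample group IDs are constructed for illustration.

```javascript
// Added example: audit security-group ingress rules for a Postgres port.
// Input follows the shape of `aws ec2 describe-security-groups` JSON output.
const PG_PORT = 5432;
const WORLD = new Set(['0.0.0.0/0', '::/0']);

// True when the rule's protocol and port range include the database port.
function coversPort(perm, port) {
  if (perm.IpProtocol === '-1') return true; // "-1" = all protocols, all ports
  if (perm.IpProtocol !== 'tcp') return false;
  return perm.FromPort <= port && port <= perm.ToPort;
}

// Classify every ingress source that can reach `port` on each group.
function auditDbIngress(groups, port = PG_PORT) {
  const findings = [];
  for (const g of groups) {
    for (const perm of g.IpPermissions || []) {
      if (!coversPort(perm, port)) continue;
      const cidrs = [
        ...(perm.IpRanges || []).map((r) => r.CidrIp),
        ...(perm.Ipv6Ranges || []).map((r) => r.CidrIpv6),
      ];
      for (const cidr of cidrs) {
        findings.push({ group: g.GroupId, source: cidr,
          verdict: WORLD.has(cidr) ? 'open-to-world' : 'cidr-allowlist' });
      }
      for (const pair of perm.UserIdGroupPairs || []) {
        findings.push({ group: g.GroupId, source: pair.GroupId,
          verdict: 'security-group-reference' });
      }
    }
  }
  return findings;
}

// Constructed sample data (group IDs are placeholders, not real resources).
const sampleGroups = [
  { GroupId: 'sg-db-public-example', IpPermissions: [
    { IpProtocol: 'tcp', FromPort: 5432, ToPort: 5432,
      IpRanges: [{ CidrIp: '0.0.0.0/0' }], Ipv6Ranges: [], UserIdGroupPairs: [] }] },
  { GroupId: 'sg-db-private-example', IpPermissions: [
    { IpProtocol: 'tcp', FromPort: 5432, ToPort: 5432, IpRanges: [], Ipv6Ranges: [],
      UserIdGroupPairs: [{ GroupId: 'sg-app-example' }] },
    { IpProtocol: 'tcp', FromPort: 22, ToPort: 22,
      IpRanges: [{ CidrIp: '203.0.113.10/32' }], Ipv6Ranges: [], UserIdGroupPairs: [] }] },
];

console.log(auditDbIngress(sampleGroups));
```

The first sample group is the password-only exposure the thread opens with; the second is the security-group reference suggested for the EC2 deployment, and its SSH rule is ignored because it does not cover the database port.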
@olance, I agree, that’s absolutely the way I should be approaching this. Thanks so much!
Ah, I’m glad I could give another perspective to the issue
FYI I’m working with @thedavid on outlining how Redwood would support different build/deploy scenarios and how we want to get there.
It’s still quite early, but once we make things public, feel free to chime in and help us build a PoC that would match your needs (unless you want to start right away ^^)!
I’ll try to remember to ping you!
@dnprock that’s a very good point